XPHERIUM — PRIVACY POLICY
Effective Date: 09/28/2025
Who we are. This Privacy Policy describes how Xpherium ("Xpherium," "we," "us," or "our") collects, uses, shares, and safeguards information in connection with our websites, products, and services that link to this Policy (collectively, the "Service").
Contact us: support@xpherium.com
Address: 4275 Executive Square, Suite 200 #1047, San Diego, CA 92037
If you use Xpherium on behalf of a company, that company is the Customer and controls certain data and choices. This Policy applies to our role as a business/controller for our own website/app data and as a service provider/processor when we process Customer Data on behalf of our Customers.
1) Scope & Roles
- Customer Data (Processor role). When a Customer connects a CRM or uploads spreadsheets to the Service, we process that Customer Data under the Customer’s instructions and contract. The Customer is the controller/business and is responsible for lawful collection and for responding to data rights requests concerning Customer Data. We act as a processor/service provider.
- Xpherium Data (Controller role). We are the controller/business for data we collect about website visitors, account users, and billing/operations.
If you are an end user whose information is in Customer Data, please direct privacy requests to the Customer (your provider/employer). We will assist the Customer per our agreement.
2) Information We Collect
A. Information you provide to us
- Account & profile: name, business email, password, role, company name, phone.
- Billing: billing contact details; limited payment data via our payment processor (we do not store full card numbers).
- Support & communications: messages, attachments, survey responses.
- Content & uploads: CRM connections, CSV/Excel files, custom labels/notes.
B. Information we collect automatically
- Usage & device: IP address, device/browser type, settings, pages viewed, referring/exit pages, timestamps, language, approximate location (city/region).
- Product telemetry: features used, clicks, error logs, performance metrics.
- Cookies & similar tech: cookies, local storage, SDKs, pixels (see Cookies below).
C. Information from third parties
- Integrations: data from connected services (e.g., CRM, billing, analytics) as configured by the Customer.
- Partners & service providers: lead data, referral and campaign info, anti‑fraud signals.
- Public & commercial sources: business contact data, industry classification.
Do not upload special categories of data (e.g., health, biometric, children’s data, precise geolocation, government IDs, full payment cards) unless we have a written agreement that specifically allows and safeguards such data.
3) How We Use Information
- Provide the Service: authenticate users, host and process Customer Data, render insights, and operate features and integrations.
- Improve & secure: monitor performance, fix bugs, prevent abuse, and enhance models/logic (including the creation of de‑identified/aggregated analytics that do not identify individuals).
- Communicate: send transactional messages (notices, updates, security alerts) and—if permitted—product tips or marketing you can opt out of.
- Billing & administration: account management, payments, tax, and accounting.
- Legal & compliance: enforce terms, comply with law, and respond to lawful requests.
AI/Model improvement. We may use de‑identified or aggregated patterns derived from Customer Data to improve features (e.g., benchmarks, anomaly thresholds) without identifying customers or individuals. We do not use Customer Data to train third‑party foundation models.
Automated decision‑making. We provide risk scores and recommendations to assist users; decisions are ultimately made by our Customers. You may request human review through the Customer’s process.
4) Legal Bases (EEA/UK/Switzerland)
Where applicable, we rely on: (i) contract performance (to provide the Service), (ii) legitimate interests (e.g., security, improvement, limited marketing), (iii) consent (where required, e.g., certain cookies/marketing), and (iv) legal obligations.
5) How We Share Information
- Service providers & sub‑processors who help us operate the Service (hosting, storage, email/SMS, analytics, payment processing, customer support). They are bound by confidentiality and use limits.
- Integrations you connect (e.g., CRM, email providers). Sharing occurs under your configuration and the integration’s terms.
- Professional advisors (law, accounting) under confidentiality.
- Corporate transactions (merger, acquisition, financing, sale of assets) subject to appropriate safeguards.
- Legal: to comply with law, protect rights and safety, and investigate abuse.
We do not sell personal information. We do not share personal information for cross‑context behavioral advertising without providing the required opt‑outs where applicable.
6) Data Retention
- Customer Data: retained for the subscription term and then deleted or returned within a reasonable period per contract, unless law requires longer retention or Customer instructs otherwise.
- Account & operations data: retained as long as needed for the purposes above (typically the customer relationship plus applicable limitation periods). We may retain aggregated/de‑identified data that does not identify you.
7) Security
We use reasonable administrative, technical, and physical safeguards (e.g., encryption in transit, access controls, logging). No method of transmission or storage is 100% secure. If we discover a security incident affecting personal information, we will notify affected parties as required by law and our contracts.
8) International Data Transfers
We may transfer information to countries other than where it was collected. Where required, we use appropriate safeguards (e.g., EU Standard Contractual Clauses) and assess the recipient country’s laws.
9) Your Rights & Choices
Depending on your location, you may have rights to access, correct, delete, port, restrict, or object to certain processing, and to withdraw consent where processing is based on consent.
- For Customer Data: contact the Customer (data controller). We will assist them in responding to your request.
- For Xpherium Data: contact us at support@xpherium.com. We may need to verify your identity and location.
Marketing choices. You can opt out of marketing emails via the link in the message. We will still send transactional notices.
Do Not Track. Our sites do not respond to Do Not Track signals, but we honor legally required opt‑outs for targeted advertising where applicable.
10) Cookies & Similar Technologies
We use:
- Strictly necessary cookies: login, session, security.
- Functional cookies: preferences, product settings.
- Analytics: usage and performance (in aggregated form where possible).
- reCAPTCHA & anti‑abuse: to prevent spam and abuse on forms.
You can control cookies via browser settings and, where required by law, via our cookie banner/consent manager. Blocking cookies may limit functionality.
11) Third‑Party Links & Services
The Service may link to or integrate with third‑party sites and services. Their privacy practices are governed by their policies. We are not responsible for their content or practices.
12) Children’s Privacy
The Service is not directed to children under 16, and we do not knowingly collect personal information from them. If you believe we have collected such information, contact us and we will take appropriate steps.
13) State‑Specific Notices (U.S.)
California (CPRA)
- Categories collected: identifiers (e.g., name, email, IP), commercial information (plan, transactions), internet/usage data, professional info, inferences (limited, for product analytics).
- Sources: you, your organization, integrations, your devices, service providers.
- Purposes: as described in Section 3.
- Disclosures: to service providers and for security/compliance; no sale of personal information. We also do not share personal information for cross‑context behavioral advertising without offering an opt‑out where applicable.
- Rights: access/know, delete, correct, portability, limit use of sensitive information (we generally do not process sensitive personal information), and non‑discrimination. Submit requests at support@xpherium.com.
Other states (VA, CO, CT, UT, etc.)
We will honor applicable U.S. state privacy rights. Contact support@xpherium.com to exercise rights.
14) Data Controller & How to Contact Us
Controller (for Xpherium Data): Xpherium, 4275 Executive Square, Suite 200 #1047, San Diego, CA 92037.
Email: support@xpherium.com
For EEA/UK users, you may have the right to lodge a complaint with your local supervisory authority. We would appreciate the chance to address your concerns first.
15) Changes to This Policy
We may update this Policy from time to time. If changes are material, we will notify you (e.g., by email or in‑app). The updated Policy is effective when posted unless stated otherwise.
16) Additional Disclosures for Enterprise Customers (optional)
- Sub‑processor list: We maintain a list of current sub‑processors available upon request and will provide advance notice of material changes.
- Data Processing Addendum (DPA): Available upon request; we will sign Customer‑provided DPAs that are substantially similar to our standard.
- Security overview: Summary of controls and architecture is available upon request under NDA.
17) Summary of Roles (Quick Reference)
- Customer Data (uploaded/connected operational data): Customer = Controller/Business; Xpherium = Processor/Service Provider; governed by contract/DPA.
- Xpherium Data (website, account, billing, telemetry): Xpherium = Controller/Business; governed by this Privacy Policy.
Last reviewed: 09/28/2025